Password resets

Mike McGrath mmcgrath at redhat.com
Wed Mar 11 17:35:49 UTC 2009


On Wed, 11 Mar 2009, Toshio Kuratomi wrote:
> >
> 5. Password resets could be introducing less secure passwords.  This
> one's hard for me to quantify.  If you use a strong password the first
> time, what's the likelihood that each reset will bring some number of
> users to use an insecure password?  What's the likelihood of someone
> using an insecure password to use a more secure password next time (?
>
> This can be partially mitigated by using a password strength checker but
> it was pointed out to me that a strength checker 1) doesn't catch things
> like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
> as devious as someone trying to crack passwords.
>
> #2 is a bug in the strength checker but we're likely to have to
> continuously work on the upstream software in order to keep things
> secure.  Without the reward of knowing how much security we're gaining.
>
> #1... I don't have a solution for.
>

I'd think http://www.nongnu.org/python-crack/ is a good start.

>
> Would not doing a password expiration but just an account expiration be
> okay?  I think that we can cover a pretty broad swathe of contributors
> with something that ties into people logging into fas (because we use
> json to log people in to web services including the wiki and they need
> to login to get a certificate to use koji/lookaside).  We'd just have to
> expire accounts on a longer interval than the ssl certs... like 6 months
> for certs and 7 months for accounts.
>
> Thoughts on implementing alternate means of checking activity here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1237
>

I think we shouldn't go too far out of our way for people that can't
follow directions.  Harsh?  Yes, but what we asked of people was
incredibly trivial.  I'd be fine with asking people to log in but I'd
think we'll find lots of people find that confusing.  Logging in and
setting your password is a task that has a clear begining and end.  I can
see people logging in expecting to see further directions and then asking
"now what"?

We've just got so much else to do I'd hate to spend a lot of time and
effort to please a few people that can't spend less then a minute a year
(15 seconds every 2 months) to log in and type their password a couple of
times and the people that complained couldn't do that.

If someone has time to implement some grand scheme, that's fine.  I know I
don't.  The changes suggested about aliases and home dirs are good ones.

	-Mike




More information about the infrastructure mailing list